2022-03-15

Prophet Spider Exploits CVE-2021-22941

Level: Tactical | Source: CrowdStrike
Information & Technology

CrowdStrike Intelligence has published research on a recent attack by the threat group Prophet Spider. The adversary exploited CVE-2021-22941, a remote code execution (RCE) vulnerability in Citrix ShareFile Storage Zones Controller, to compromise a Microsoft Internet Information Services (IIS) web server. "From the exploit, the threat actors were able to upload a webshell to the IIS server." Following exploitation, the attacker checked connectivity using nslookup and used PowerShell with encoded and Invoke-Expression commands to download additional files. The group's preference for downloading and using the "wget" utility has been observed in various operations.
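The behaviors described above (an nslookup connectivity check, encoded PowerShell with Invoke-Expression, and the wget utility) can be hunted for in process-creation telemetry. The Python below is an added example, not code from CrowdStrike or Anvilogic. The event field names, the check for `w3wp.exe` (the IIS worker process) as parent, and the sample events are assumptions constructed for illustration.

```python
import base64
import re

# Assumed event shape (not from the article): dicts with parent_image, image, command_line.
IIS_WORKER = "w3wp.exe"  # IIS worker process; a webshell's commands run as its children
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "nslookup.exe"}
FLAG_AND_ARG = re.compile(r"\s[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand (also -e, -ec, -enc, ...), or None."""
    for match in FLAG_AND_ARG.finditer(command_line):
        flag = match.group(1).lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # some other flag starting with "e", e.g. -ExecutionPolicy
        try:
            return base64.b64decode(match.group(2), validate=True).decode("utf-16-le")
        except ValueError:  # invalid base64, or bytes that are not UTF-16LE text
            continue
    return None

def classify(event):
    """Return sorted finding tags for one process-creation event."""
    tags, image = set(), basename(event["image"])
    if basename(event["parent_image"]) == IIS_WORKER and image in SUSPECT_CHILDREN:
        tags.add("iis_worker_spawned_" + image)
    if image == "powershell.exe":
        script = decode_encoded_command(event["command_line"])
        if script is not None:
            tags.add("encoded_powershell")
        # Inspect the decoded script when there is one, else the raw command line.
        if IEX.search(script or event["command_line"]):
            tags.add("invoke_expression")
    if image == "wget.exe":
        tags.add("wget_utility")
    return sorted(tags)

# Constructed sample events; the encoded script is a harmless placeholder.
SAMPLE_B64 = base64.b64encode("Invoke-Expression 'Write-Output sample'".encode("utf-16-le")).decode()
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [dict(zip(("parent_image", "image", "command_line"), row)) for row in [
    (W3WP, r"C:\Windows\System32\nslookup.exe", "nslookup example.invalid"),
    (W3WP, "powershell.exe", "powershell.exe -nop -ExecutionPolicy Unrestricted -enc " + SAMPLE_B64),
    (r"C:\Windows\explorer.exe", "powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Tools\wget.exe", "wget.exe http://example.invalid/file"),
]]
```

Calling `classify` on each entry of `SAMPLE_EVENTS` tags the first, second and fourth events and leaves the routine `-File` invocation untagged.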

     
